Card fraud within the Single Euro Payments Area (SEPA) increased in 2012 for the first time since 2008, driven mainly by higher internet fraud. The third report on card fraud, published today by the European Central Bank (ECB), finds that more efforts will be required to ensure the security of online card payments as internet purchases continue to grow. At the same time, fraud as a share of the total value of transactions remained below the levels recorded between 2008 and 2010.

In 2012 €1 in every €2,635 spent on credit and debit cards issued within SEPA (the European Union, Iceland, Liechtenstein, Monaco, Norway and Switzerland) was lost to fraud. That represents 0.038% of a total of €3.5 trillion in transactions, up from 0.036% in 2011. The total value of fraud increased by 14.8% in 2012 compared with 2011, reaching €1.33 billion. Compared with 2008, the overall amount of fraud decreased by 9.3%, while the value of transactions increased by 17% (see the chart). “These data show we must remain vigilant against card fraud, although it is also reassuring to see that counterfeit levels are lower inside SEPA than outside, thanks to higher security standards,” said Vítor Constâncio, Vice-President of the ECB.

The report, compiled by the Eurosystem (the ECB and the 18 national central banks of the euro area), looks at fraud using different kinds of cards (debit and credit) and according to type of usage. In 2012 some 60% of the value of fraud resulted from card-not-present (CNP) payments – i.e. payments via post, telephone or the internet – while roughly one-quarter resulted from point-of-sale (POS) terminals and about one-sixth from automated teller machines (ATMs).

CNP fraud has been on an upward trend over the past few years, and increased by 21% from 2011 to 2012. However, this must be viewed in the context of fast-growing CNP usage: data on regular CNP transactions, which were only partially available, suggest that CNP payments rose by around 15% to 20% a year between 2008 and 2012, compared with 4% a year for all transactions, i.e. including ATM and POS transactions. Significantly, increases in this kind of fraud were also observed in countries that had previously made major efforts to increase the security of the card payments via internet, albeit mostly relying on additional passwords rather than more advanced techniques such as random codes generated by a token or chip card reader. Such advanced techniques, together with awareness of the importance of security among cardholders and merchants, become necessary as fraudsters become more sophisticated. This is all the more important given that further growth in CNP usage can be expected.

Against this background, the European Forum for the Security of Retail Payments emphasised the need for higher security standards in its recommendations for the security of internet payments released in January 2013. Among other things, higher security standards are needed in order to protect the initiation of internet payments by strong customer authentication, to better protect data storage and communication, and to provide guidance to customers on best online security practices.

Higher ATM and POS fraud was caused mainly by higher counterfeit fraud committed (i.e. the moment a cloned card is used) outside SEPA. Counterfeit fraud is continuing to shift to countries outside SEPA owing to higher security standards at ATMs and POS terminals inside the area. In 2012 94% of ATM and 65% of POS counterfeit losses were incurred outside SEPA, rising sharply from 53% and 58% respectively in 2008. This situation should improve as more countries migrate to the EMV security standard, in which cards equipped with chips allow for safer infrastructure systems and authentication processes. However, where magnetic stripe usage cannot be completely avoided, card schemes and issuers should adopt further measures to prevent fraud, such as carrying out enhanced monitoring of transactions, setting limits and imposing blocks on transactions from specific countries, which could be temporarily lifted according to customers’ needs.

For credit and delayed debit cards, which are predominantly used for internet and cross-border transactions, €1 in every €1,000 (around 0.097%) was spent in a fraudulent transaction. For debit cards, which are more commonly used in stores and for cash withdrawals, the proportion was €1 in every €5,400 (0.019%). CNP fraud is usually more prevalent in mature card markets, whereas POS fraud is more common in less developed markets. However, CNP was the dominant channel for fraud in almost all countries, while also rising sharply in less developed card markets.

Country perspective

This third report shows that, on average, cards issued in France, the United Kingdom and Luxembourg experienced the highest losses from fraud as a proportion of regular transactions. In 2012 data on fraud and transactions using cards issued outside SEPA were available for the first time. A comparison shows that fraud losses occurring outside SEPA involving cards issued inside the area were lower than those occurring inside SEPA involving cards issued outside the area. The finding suggests that SEPA citizens benefit from the higher security standards associated with their cards, even though only some ATMs and POS terminals outside SEPA are compatible with these enhanced security features.